I emailed the author, Rainer Gerhards. He said this: "I've had a quick look at the code. It looks indeed like an easy fix, but I think there is no issue at all (thus the TODO is not yet done): as far as I remember, this is only called from within the RELP application and not based on anything received from the wire. So it can not be exploited, because the current RELP code never generates a greeting of that size (it is less than 512 bytes). But I will check tomorrow in more detail."
He hasn't gotten back to me yet in a couple of days, so I assume no further surprises appeared. I've sent a follow-up. As for where the function is used... It's not exposed as part of the UI, but it is in the symbols table. It's used twice in the source, but I'm not qualified to tell if they're safe uses myself. It would seem to depend on how long the 'offers' array is.

-- 
[MIR] librelp
https://bugs.launchpad.net/bugs/388606

You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
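As an added illustration (this is not librelp's code and not the function the bug discusses, whose name and signature do not appear in this thread): a C greeting builder that bounds-checks an 'offers' array against a fixed 512-byte buffer, so that "the greeting is always under 512 bytes" is enforced by the code rather than assumed by the caller. All names, sizes and sample offers are hypothetical and constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed size; stands in for the fixed greeting buffer discussed above. */
#define GREETING_BUFSZ 512

/* Hypothetical stand-in for the greeting builder: copy each entry of the
 * 'offers' array into buf, one per line, and refuse (return -1) instead of
 * writing past the end when the offers do not fit. On success returns the
 * number of bytes written, excluding the NUL terminator. */
int build_greeting(char *buf, size_t bufsz,
                   const char *const *offers, size_t n)
{
    size_t used = 0;
    if (bufsz == 0) return -1;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(offers[i]);
        /* Need len bytes for the offer, one for '\n', one for the NUL. */
        if (len + 2 > bufsz - used) return -1;
        memcpy(buf + used, offers[i], len);
        used += len;
        buf[used++] = '\n';
    }
    buf[used] = '\0';
    return (int)used;
}

/* Two constructed offers that fit comfortably: 20 bytes are written. */
int demo_fits(void)
{
    char buf[GREETING_BUFSZ];
    const char *const offers[] = { "offer_a=1", "offer_b=2" };
    return build_greeting(buf, sizeof buf, offers, 2);
}

/* A single constructed 600-byte offer: larger than the buffer, so the
 * builder must report -1 rather than write past the end. */
int demo_too_big(void)
{
    char buf[GREETING_BUFSZ];
    char big[601];
    const char *const offers[] = { big };
    memset(big, 'x', 600);
    big[600] = '\0';
    return build_greeting(buf, sizeof buf, offers, 1);
}
```

The length check is what turns the author's "never generates a greeting of that size" from a property of today's callers into a property of the function, which matters once the 'offers' array can grow.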
